The ICO exists to empower you through information.

Settings for privacy and data give users choice over how and when a service gathers, uses and shares their data with other users and third parties. These settings can relate to ongoing profile preferences or relate to a one-off use.

The Children’s code Default settings standard outline expectations for the design of online services likely to be accessed by children. The links below give examples and information on how these service features impact children’s rights under the UNCRC. We also offer code recommendations on how to positively support and mitigate risks to these rights in this context:

Article 6: Life, survival and development

Children have an inherent right to life and survival, and their physical and emotional development should not be impeded.

This right is at risk where services set data sharing with other service users to on by default. This may expose children to risk of physical or emotional harm (for example through stalking, bullying or harassment).                                 

Article 8: Development and preservation of identity

Children have a right to develop and preserve their identity, including:

  • nationality;
  • name;
  • family relations;
  • gender; and
  • other personal identity characteristics.

This right is at risk where services share children’s identity data with other users or third parties using on-by-default settings.

Article 12: Respect for the views of the child

Children who are capable of forming their own views have rights to express them, in all matters that affect them.

Services can support this right where privacy settings give children (and parents where appropriate) informed choices about how services use their data. This right is at risk where services do not provide privacy settings, or don’t meet the principles of the Transparency standard.

Article 15: Freedom of association

Children have a right to freely associate and gather with others in the real world and in the digital environment.

Services can support this right by providing off-by-default and transparent privacy settings that enable children to interact with each other online.

Article 16: Protection of privacy

Children have a right to be protected from arbitrary or unlawful interference with their privacy.

This right is at risk where services share children’s data with other users or third parties using on-by-default settings.

Article 19: Protection from violence, abuse and neglect

Children have a right to be protected from all forms of physical or mental violence, abuse, maltreatment or exploitation.

This right is at risk where on-by-default data sharing with other service users exposes children to risks of violence or abuse (for example through stalking or harassment).

Children’s code recommendations on privacy and data use settings:

  • Ensure you set the default settings to high privacy. This is unless you can demonstrate a compelling reason for a different default, taking into account the best interests of the child. For example:
    • to fulfil a legal obligation;
    • for safeguarding; or
    • if it is not possible to provide the essential elements of your service without doing so.
  • Ensure settings that allow you to share children’s data with other users or third parties are set to off by default. This is unless you can demonstrate a compelling reason for a different default, taking into account the best interests of the child.
  • Provide age-appropriate explanations and prompts at the point at which a child attempts to change a privacy setting.
  • Allow users the option to change settings permanently or just for the current use.
  • Retain user choices or high privacy defaults when you update the software.
  • If you provide an online service that allows multiple users to access the service from one device, then whenever possible you should allow users to set up their own profiles with individual privacy settings. This means that children do not have to share an adult’s privacy settings when they share the same device.
  • Do not nudge users to lower their high privacy default settings.